A data controller is any person, authority, organisation or other body which, either on its own or jointly with another party, determines the purposes and means of processing personal data. In simple terms, the controller is the party responsible for, and in control of, the personal data and how it is processed.
Relationships with Data Processors
When a controller passes on responsibility for processing to a data processor, it retains control through the contract that it puts in place to manage this relationship.
Relationships with Joint Controllers
If the controller shares this responsibility jointly with another controller, it is advisable (though not mandatory) that a contract is in place; there should, however, be a data sharing agreement in place to ensure that data subjects have complete transparency about the relationship and the processing of their data.
An example of a Joint Controller relationship is that between a franchisor and its franchisee, where processing of data is shared across platforms and responsibilities. A key point to recognise is that the data is being processed by both parties for the same or a similar purpose.
Relationships with Controllers in Common
There are circumstances where multiple controllers process the same data and no contractual agreement exists, for example an employer sharing personal tax details with a tax authority. In these cases the statutory obligation takes precedence, and it is unlikely that any further due diligence would be undertaken.
Responsibilities of a Data Controller
A data controller has significant responsibilities under data protection regulation; these include:
- Comply with the data protection principles
- Honour the rights of the data subject
- Deliver data protection by design and by default
- Implement data protection policy and ensure colleagues understand responsibilities
- Keep records of processing activities
- Manage the transfer of data to third parties
- Ensure safeguards are in place for data transfers to third countries
- Appoint a data protection officer (if required)
- Ensure appropriate technical and organisational measures are in place
- Manage and mitigate any risks arising from personal data processing
- Cooperate with the supervisory authority